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The Differential-Phase-Shift (DPS) and the Coherent-One- Way (COW) are among the most prac- 
tical protocols for quantum cryptography, and are therefore the object of fast-paced experimental 
developments. The assessment of their security is also a challenge for theorists: the existing tools, 
that allow to prove security against the most general attacks, do not apply to these two protocols 
in any straightforward way. We present new upper bounds for their security in the limit of large 
distances (d > 50km with typical values in optical fibers) by considering a large class of collective 
attacks, namely those in which the adversary attaches ancillary quantum systems to each pulse or 
to each pair of pulses. We introduce also two modified versions of the COW protocol, which may 
prove more robust than the original one. 

I. INTRODUCTION 

Over the recent years quantum cryptography evolved from nice physics to a technology that could revolutionize the 
science of secrecy. The basic idea, as formulated by Bennett and Brassard in 1984 (BB84), was based on the use of 
individual qubits quickly "translated" to individual photons. Given the lack of convenient single photon sources, 
most experiments use instead weak laser pulses. However, it was then realized that such sources sometimes emit 
multiphoton pulses and are thus in danger of photon- number-splitting (PNS) attacks 0- The cheap counter-measure 
to PNS attacks is to reduce further the intensity of the weak laser pulses, but this solution leads to secret bit rates 
that scale quadratically with the quantum channel transmission coefhcient, r (x t^. Hwang found an elegant way 
out of this drawback, suggesting using more than one intensity jsj . This method, called decoy state implementation, 
allows one to achieve a linear secret key rate, as for the historical single-qubit protocols 

The BB84 protocol in all its implementations, several variations thereof — two-state [1], six-state @|, SARG04 
3, protocols using higher-dimensional systems [8|, etc. — and all the corresponding entanglement-based versions 
9|, share a common feature: they all send quantum symbols one by one. However, convenient telecom laser sources 
emit either a continuous train of pulses (mode-locked lasers), or a continuous wave (cw) that can be formatted by an 
intensity modulator into trains of pulses. This observation led to new protocols for efRcient quantum key distribution 
(QKD) like the Dijferential-Phase-Shift (DPS) and the Coherent- One- Way (COW) protocols. In both 

protocols a continuous train of weak laser pulses is sent from the sender, Alice, to the receiver. Bob. In the DPS 
protocol the intensity of the pulses is constant, but the phase modulated. In the COW protocol, the phases of all 
pulses are constant, but their intensity modulated. The DPS and the COW protocols are so-called distributed-phase- 
reference protocols: the intervention of an adversary, Eve, is monitored by measuring the coherence between successive 
non-empty pulses. Both protocols are robust against PNS attacks, because these can be detected [ll,[l3]; security has 
also been studied against individual attacks [13, 1511 and more recently against some form of intercept-resend attacks 
based on unambiguous state discrimination jla . [itI . [isj . However, security against the most general attacks is still 
elusive: the tools, that have been developed in the last decade to tackle this, cannot be applied in any straightforward 
way, because both protocols move away from the symbol-per-symbol type of coding. 

The purpose of this paper is to analyze the security of the COW and the DPS protocols against a large class of 
collective attacks in the long distance regime (i.e. when the transmission coefficient t is small). This study leads also 
to define variants of the COW protocol, which make it more robust while keeping its simplicity. 

The paper is structured as follows. In Section |TT1 we recall the COW and DPS protocols, as well as some notions 
of security bounds. In Section [1111 we present the bound for security against the beam-splitting attack (BSA) treated 
as a collective attack. In Section ITVl we study a family of attacks that generalize the BSA by introducing errors. The 
basic idea is that the adversary, Eve, attaches ancillary quantum systems to each pulse or to each pair of pulses. For 
these attacks, bounds for security are provided in the limits of large distances, typically d > 50 km. These upper 
bounds on the secret key rates scale linearly with t. 
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II. DEFINITIONS AND TOOLS 

The source, on Alice's side, produces weak coherent pulses. A non-empty pulse is written \a), its mean photon 
number /i = jap. The transmission coefficient of the quantum channel connecting Alice and Bob is t, the efficiency of 
Bob's photon counters is rj; we neglect the effects of dark counts and dead times of the detectors. Accordingly, in the 
absence of Eve, when Alice sends |a). Bob receives \y/ta) and has a probability 1 — e"^*'' (« iitrj in the Hmit iit <C 1) 
to detect a photon. 

A. The COW and DPS codings 

In the COW protocol, each bit is coded in a sequence of one non-empty and one empty pulse: the bit value is 
coded in the sequence |a)|0), the bit value 1 in the sequence |0)|q;). These two states are not orthogonal because of 
the vacuum component, and can be unambiguously discriminated in an optimal way by just measuring the time of 
arrival. This is the very simple data line, in which the raw key is created. The quantum bit error rate (QBER) Q is, 
as usual, the probability that Bob accepts the wrong value of the bit: in physical terms, this means that Bob has got 
a detection in a time slot, in which Alice has sent an empty pulse. To estimate the loss of coherence in the channel 
(and thence Eve's information), a fraction of the light is sent into a monitoring line, consisting of an unbalanced 
interferometer. The phase between the two arms is chosen so that two consecutive non-empty pulses sent by Alice 
should always interfere constructively in one output port (and be detected with probability > 0) and destructively 
in the other one {poi = 0). The departure from this ideal situation is measur ed by the visibihty V = of the 

interference pattern observed for two consecutive non-empty pulses. Note that there is no a priori relation between 
Q and V. 

In the DPS protocol, Alice produces a sequence of coherent states of same intensity ...|e*''''="ia) |e*'^'=a) |e*'^'°+ia) ... 
where each phase can be set at — or (p = n. The bits are coded in the difference between two successive 
phases: &fe = if e^'^'' = e*'^''+i and bk = 1 otherwise. These two cases can be unambiguously discriminated using 
an unbalanced interferometer. The same interferometer provides the information about the lack of coherence in the 
channel, used to estimate Eve's information. Contrary to what happens for COW, the QBER Q and the visibility V 
of the interference pattern are tightly related in DPS through the relation Q = 

B. Three versions of COW 

In the original version of COW, the pairing of the pulses is known in advance; in addition to sending the two 
sequences that code for a bit value, Alice should also send decoy seguences \a)\a) with probability / in order to 
prevent a subtle form of photon-number-splitting attacks. Such sequences do not code for a bit value: therefore, if 
they give rise to a detection in the data line, this event must be eliminated in sifting. Throughout this paper we 
will set / ~ 0: in fact, all the bounds for security that we are going to use are valid only in the asymptotic limit of 
infinitely long keys, in which case an arbitrarily small amount of events is sufficient to produce meaningful statistics. 

Along with this original version, we introduce and study here two modified versions of COW, in which the pairing 
of the pulses is not known a priori by Bob, nor Eve. Alice and Bob's devices are the same as in the original version: 
Alice sends a train of empty or non-empty pulses; Bob measures the time of arrival on his data line and checks the 
coherence of successive non-empty pulses on his monitoring line. Only after the transmission, Alice announces the 
pairings publicly; the bit is accepted if Bob has got one and only one detection in the data line corresponding to that 
pair of pulses. Given this, the two versions differ in the possible choices of pulses to be paired. 

In COWml, Alice still pairs consecutive pulses: this makes it the closest analog to DPS. If she wants to use (almost) 
all the pulses, she will still send sequences |a)|0) or |0)|a), and sometimes introduce an unused pulse. In C0Wm2, 
Alice is allowed to pair any two pulses; obviously, all the pulses are used. There is no simple version of DPS that 
would be analog to C0Wm2, because in order to pair arbitrary pulses in DPS, Bob should arbitrarily change the 
unbalance in the interferometer 19]. 

Note that many other variants of COW can be imagined, as we mention in Appendix El 

C. Secret key rates 

We consider from now on that the two values and 1 are equally probable both in Alice's and in Bob's list; since 
this can be obtained by public communication, there is no loss in generality in this assumption. As said, the bound 
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for security against the most general attack by an eavesdropper has been elusive to date for both COW and DPS. 
In this paper, we are concerned with specific attacks, which of course define only upper hounds for security (i.e., it 
is guaranteed that one cannot obtain larger rates). In the family of attacks that we consider, Eve interacts with the 
pulses one-by-one or two-by-two, always with the same strategy. She is allowed to keep her ancillae in a quantum 
memory, and to extract the largest possible information out of them after Alice and Bob has run the classical post- 
processing. Therefore, we will compute the bound for security against collective attacks (as in most QKD studies to 
date, we compute this bound for the asymptotic case of an infinitely long raw key). 

For collective attacks, Devetak and Winter f20l| have shown that Eve's information on Alice's bits is bounded by the 
maximal capacity of a channel Alice-Eve, in which Alice would code her bit value a in the state p;^^". This quantity 
is called Holevo bound, and reads 

XAE ^ X Pi=') - S{pe) - \s{pi=') - \s{pi=') (1) 

where pE = ^PeT^ + ^PeT^ Eve's state and S is von Neumann entropy. A similar definition holds for Eve's 
information on Bob's bits. Concerning the Alice-Bob channel, the QBER is Prob(A B) = Q; in particular, for the 
conditional Shannon entropy it holds H{A\B) = H{B\A) — h{Q) where h is the binary entropy. The Devetak- Winter 
bound reads, for the secret key rate r: 

r = rsift[l - h{Q) - mm{xAE,XBE)] (2) 

where rsift is the sifting rate, i.e. the probability that Alice and Bob accept a bit; we suppose that the two protocols 
are run with the same repetition rate: the rates will be given "per time slot" (or "per pulse" , independently of whether 
the pulse is empty or not). We work in the trusted- device scenario, in which one assumes that Eve cannot modify the 
efficiency of Bob's detectors. Note that the whole analysis can be readily adapted to the untrusted- device scenario by 
replacing everywhere first 77 —s- 1, then t ^ trj. 



III. COLLECTIVE BEAM-SPLITTING ATTACK (Q ^ 0, V = 1) 

The Beam-Splitting Attack (BSA) translates the fact that all the light that is lost in the channel must be given to 
Eve. The attack consists in Eve simulating the losses 1 — i by putting a beam-splitter just outside Alice's laboratory, 
and then forwarding the remaining photons to Bob through a lossless line. Since it simulates exactly Bob's expected 
optical mode, the BSA introduces no errors (here, Q = and = 1) and is therefore impossible to detect plj . 

For both COW and DPS, Alice prepares a sequence of coherent states (^j, \ak)- each ak is chosen in {-|-a,0} for 
COW, in {+a,—a} for DPS. Bob receives the state {^j, \ak\/t): Bob's optical mode is not modified. Eve's state is 
(^j, |afcVl — t); let us introduce the notations ue = ol\/\ — i, pE — jo^Bp and 

^E = e-"" = e-^(i-*) . (3) 

When Bob announces a detection involving pulses k — 1 and k, Eve shall extract the highest possible information out 
of her systems, measured by the Holevo quantity ([1]). The information available to Eve differs for the two protocols, 
because of the different coding of the bits. 

In COW, the bit is when ak-i = a ,ak = and is 1 when at-i = , a/c — a; so, writing the projector on 
lip), we have Pe^^ = pf = -P+qb,o and Pe^^ — PeT^ = -Po,+«e; therefore, noticing that | 0|0, +aE) \ = 7e, we 

obtain 

XAE = XBE ^ xg°'^(A.,t) = ■ (4) 

Since in COW half of the pulses are empty, the secret key rate is given by 

rcow{p,t) = i (l-e-^*") [l-xg°^(A^,0] ■ (5) 

Since BSA is a pulsc-by-pulse attack independent of the pairing, the analysis is unchanged for COWml and C0Wm2. 
In DPS, the bit is when ak-i = ak and is 1 when ak~i — —ctk- So, with similar notations as above, we have 
= = ^P+aE:+aE + ^P-CE-aE and p^^'^ = p|=^ = ^P+aE-OE + ^P-ue.+oe', therefore, noticing that 

K+a^l — as) I =7!;, we obtain 

XAE-XBE^X^'M = 2h(^-^]-h(^-^] (6) 



4 



10° 



10'' 




20 40 60 80 100 20 40 60 80 100 

Distance (km) Distance (km) 



FIG. 1: Optimal mean photon number ^ and secret key rate as a function of the distance, for the Beam-Sphtting Attack on 
the COW and DPS protocols. Detection efficiency: rj = 0.1; Losses: 0.25 dB/km; no dark counts. 

and the resulting secret key rate is 

rDPs[^^.t) = (l-e-'^*") [l^xT'M] . (7) 

Both for COW and DPS, Alice and Bob should choose /i such that the secret key rate is maximized. We performed 
this one-parameter optimization numerically. Figure [T] shows the optimal choice for the intensity /i — ^opt and the 
corresponding secret key rates for the COW and the DPS protocols. 

One notices that the two protocols show similar behaviors against BSA. The optimal choice of fi is approximately 
twice as large for COW as it is for DPS; since in COW one pulse out of two is empty, the number of photons per bit is 
thus approximately the same. As for the secret key rates obtained for the respective /iopt, they are very similar, within 
a factor of two. The question, whether one protocol performs better than the other one, does not have a clear-cut 
answer: other practical issues should be taken into considerations. For instance, we did not consider for COW the 
fraction of the signal that should be sent through Bob's monitoring line, which will not contribute to the key. We 
did not consider the losses in Bob's interferometer neither: in DPS, they will decrease the secret key rates, while in 
COW, they will not alter the key rates. A more complete analysis should therefore lead to different factors before the 
given key rates, and the factor of two that appears here between the two protocols is not meaningful in itself. 

In the limit of large distances /it <C 1 (typically, for d > 50km p2||), the secret key rates under a BSA become 
linear in t-q {r — rotrj), and the /iopt tend to a constant value (dashed lines on Figured]). Specifically: for COW, 
fJ-opt — * 0.4583 and rg « 0.0714; for DPS, fiopt ^ 0.2808 and rp ~ 0.1182. Note that the attacks presented in the next 
Section of this paper shall be studied only in this limit, due to their complexity, and will coincide with the asymptotic 
limits for BSA when Q = and V — 1. 



IV. COLLECTIVE ATTACKS WITH Q > 0, V < 1 

In both COW and DPS, bits are coded in the relation between two successive pulses. In the study of upper bounds, 
a natural class of attacks is therefore the one in which Eve attacks coherently pairs of successive pulses. These we 
call "Two-Pulses Attacks" (2PA). In general, they are defined by 

[\ak-i)\ak)]A{k-i,k) ^ \£) E * Mo'k-i,ak])B{k-i,k),E (8) 

with the only constraint that the transformation must be unitary. This class is clearly too large to be parametrized 
efficiently. However, in the limit of large distances fit <^ I, multi-photon components on Bob's side are supposed to 
be negligible; and Bob will have to check, through the statistics of his detection rates (singles, double-clicks in two 
detectors etc), that this is indeed the case. In view of this, we restrict our study to the case where, for any two-pulse 
signal sent by Alice, Bob's Hilbert space consists only of the three orthogonal states |00) (no photon), |10) (one photon 
at time k — 1) and |01) (one photon at time k). 

In this Section, 2PA are studied on COW pYX]) . on COWml (|rVB|) and on D PS (|TVD|) . On C0Wm2, since there 
is no preferred pairing at all, we shall rather study "One-Pulse Attacks", IPA (jIV C|) . The resulting upper bounds 
will be computed numerically and compared pVEp . Unless stated otherwise, pure and mixed quantum states are 
normalized (in the limit fit <C 1) in all that follows. 
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A. Original COW coding: Two-Pulse Attacks 

1. Eve's Attack 

In the original COW protocol, the pairing of the pulses sent by Alice is publicly known. When Eve attacks the 
pulses two by two, we suppose that she does it according to the same pairing. The three sequences that Alice can 
send (bit 0, bit 1, decoy sequence) are modified by Eve's intervention as 

IVm,0)^|5) |00)Bl^A.o)g + V(i - Q)lJitms\p]%) ^ + VQ7^ |01)g|p°{,)^ 

where \vjk) ^ {j,k E {0, /i}) are the states that Eve attaches to the vacuum part of the signal, while \p]k) ^ and 
Ip'jl) ^ are the states that Eve attaches to the 1-photon part of the signal. While we have left Eve's states free (up to 
some constraints to be described soon) , we have fixed the probability amplitude of each term. These amplitudes are 
motivated by the expected behavior of an imperfect intensity modulator on Alice's side, which would prepare pulses 
of intensity (1 — Q)fJ. and Qa* instead of perfectly modulated intensities fi and 0. In this case, for each bit sequence 
sent by Alice we still have an average probability /ii that a photon arrives at Bob; in a fraction 1 — Q of these cases, 
it arrives at the correct time, in the other cases it arrives at the wrong time, whence Q is indeed the QBER. Again, 
Bob has to check that the multi-photon components are negligible. 

The relations between Eve's states are constrained by the requirement that the transformation must be unitary, 
and by the results of the parameter estimation (i.e. by the values of the visibilities). The requirement of unitarity 
reads (recall that we work in the limit fit ^ 1) 

{vo^\v^o) = , (wmm^a'd) = («A.Mbop) = e"^^^ ■ (10) 

The visibility in COW is measured only conditioned to the fact that Alice has sent two consecutive non-empty pulses. 
There are five such cases: the case of decoy sequences (two non-empty pulses in the same pair) and the four two-pair 
sequences {x,y) = (0^, /zO),(yLt/i-, /xO),(OyLt, /z/i),(/i/i, /i/i). The corresponding visibilities after Eve's intervention are 

V,, = Re[(p°},bi°)] , (11) 
V^y = Re[{v,\pl'){pl'\vy)] . (12) 

As an example, consider V^^. When Alice sends a decoy sequence \^/JI,^/JI), a detection in the interferometer at 
the correct timing should reveal the coherence between |10) and |01). After Eve's intervention, the action of the 
interferometer (non-normalized) reads 

mBK,)E + ^bIpIDe \Do){\Pll)^ + Ki)^) + \di){\pZ)e - Ki)E) ■ 

The probability that the photon going to Bob is detected by detector Dq (resp. Di) of the interferometer is proportional 
to po/i oc IIIp^'^)^ ± = 2 ± 2Re(p°^|p^°) cx 1 ± V^^^, whence pT|) . The visibilities V^y are computed in a 

similar way, considering that the interference across the pairing is due to the coherence between |01)|00) and |00)|10). 
In the present study, we suppose that Alice and Bob check that all these visibilities are the same: 

2. Eve's Information 

The task is to compute the information that Eve obtains when she performs the attack ©. For each bit detected 
by Bob, if Eve is interested in Alice's bit, her information is the Holevo quantity xae computed for p^^^ = (1 — 
QMo){p11o\+Q\p%){p%\ and = il-QMl){p°ol\+Q\ph°){p'ol\; if Eve is interested in Bob's bit, her information 
is the Holevo quantity xbe computed for p|=o = (1 - Q)bi"o>(piol + Q\phl){ph°^^ and p|=i - (1 - QMl.){Pol.\ + 
Q\P%) (p%\- These are formal expressions, whose value has to be optimized under the constraints (fTO| and (fT4|l . Now, 
none of the constraints (fTO|) . (|lip and (fT2|) on Eve's states involves |pj°) and |p°o). Eve can therefore choose these 
two states freely, and the best choice is obviously to take them orthogonal to one another and to all her other states, 
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in order to distinguish those cases perfectly. In this case, xae = Xbe = Q + — Q)x{Pp^l^Pp°^)7 that we write 
explicitly as 

Xcow = Q + {l-Q)h\ 1 I . (15) 

In particular, Eve has all the information on Alice's and Bob's bit when she introduces an error. 
So finally, the Devetak- Winter bound for 2PA on COW in the limit fit 1 reads 

rcow{Q,V) ^ rotT] with ro = ^fi ^ - h{Q) - xcow ■ (16) 
Note that rg does not depend on trj: the long-distance upper bound that we obtain is linear in t. 



B. COWml coding: Two-Pulse Attacks 



1. Eve's Attack 



We now consider the first modified version of the COW protocol (COWml). In this version, the coding still implies 
pairs of consecutive pulses, but the pairing is decided by Alice and Bob a posteriori. Thus, during the exchange of 
quantum signals, Eve does not know which pulses she should attack together: half of the times, her 2PA will therefore 
be applied on pulses that are not going to be paired to form a bit. In particular, now all four sequences of two 
consecutive pulses are possible: the transformation ^ must be complemented with a fourth line 

|o,o)^|£:) ^ mB\voo)E + VQi^H\'^o)B\ph°)E + mB\p°h)E) (17) 

where the choice of probability amplitude is dictated by the same considerations as above. The requirement of 
unitarity consists of (fTU]) and of the three additional constraints 

(wooKVm) = ^^'^ ' {vo()\Vf,o) = {voo\vo^) = e"^/^ . (18) 

The computation of the loss of visibility is identical to the case of the original COW, leading to ITTI) and (fT^ : as for 
that case, we shall impose (ITi|) . Note that the states |p°o), boo)' boo) ^'^^ enter in any of the constraints, 

and can therefore be chosen orthogonal to each other and to all other states. 



2. Eve's Information 



When it comes to computing Eve's information, two cases have to be treated separately: 

Case 1: the two pulses that code a bit have been attacked together by Eve. In this case, the computation of Eve's 
information is the same for the original COW protocol (jIV Ap . so X^ae ~ X^be given by 

Case 2: the two pulses that code a bit have not been attacked together by Eve. To study this case, we must consider 
four pulses. Writing j, k^j', k' € {0, 1} and neglecting as usual the two-photon terms, the transformation reads 

\j^,k^)^\j'^,k'^)^\££') ^{k + {~lYQ)^Jit\Qlm)B\p%^k^.^v,,^,u'^.)^ 

+ \j{r + (-l)-''Q)A^t|0010)5b,^,fe^,p]o,,,,^)^ + ... (19) 

The terms that we left out do not contribute, for we focus on the case where Bob detects a photon in one of the two 
middle time-slots and pairs precisely those slots. Moreover, a posteriori it is decided that pulses j' and k form a bit 
a, i.e. Alice must have used j' — \ — k = a. Depending on the sequence sent by Alice and on the bit detected by Bob, 
Eve's (unnormalized) state is thus 

^A={,,,','}.B=0 ^ (fc+ (-l)^Q)|p01 ^^^,.,.,,,,„,)(p01 (20) 
A={jk,'k'},B=l ^ ^ (-l)/g)|„^.^,,^,pip^_^.,^)(„^.^ ,^,pip^^^,J . (21) 
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Eve's (now normalized) states conditioned on Alice's or on Bob's bit become 



where a = 1 — a and 6=1 — 6, and where 



A— a ^ \ ^ A—{ja,ak'}.B—b /-, ^\ a.b—a , a,b—a /nn\ 

Pe4 =i2^Pe, = (1 - Q)Pe, + QPe, (22) 

PeT = \ E p1=^^'^-"''^'>'^='' ^ (1 - Q)p^f + Qp^f (23) 



As it happened for COW, and are orthogonal to one another and to the other two mixtures; therefore 
On average, each of these two cases happens with probability ^, so xae = Xbe is given by 



i-Q \Ji + W\pll)\ 



Xcowm, = |/,(^— ^ID^j +X(pk",pk'jj ■ (26) 
The Devetak- Winter bound for 2PA on COWml in the limit /i< <C 1 reads 

rcownii{Q,V) ^ rotr] with rp = ^ P - KQ) - Xcowryii ■ (27) 

C. COWm2 coding: One-Pulse Attacks 

1. Eve's Attack 

Let's now consider the second modified version of the COW protocol (C0Wm2). In this version, Alice and Bob 
check the coherence on successive pulses, but pair arbitrary pulses in order to define key bits. In this case, there is 
no longer any natural definition of 2PA: almost always. Eve's pairing shall not correspond to the pairing that defines 
a bit. Therefore, we obtain the upper bound on C0Wm2 considering One-Pulse Attacks (IPA): we suppose that Eve 
attaches a probe to each pulse sent by Alice, and performs the transformation 



|0)^|£> |0)BkQ)i; + %/ QA^|l)alPo )g 

Wa\^) ^ |0>Bl"M>B + v/(l-Q)M<|l>sMij ^ ^ 

where |wo/^t)^ are the states that Eve attaches to the vacuum part of the signal, while Ipo/ai)^; are the states that 
Eve attaches to the 1-photon part of the signal. The probability amplitudes are fixed according to the same physical 
considerations done for COW and COWml. The requirement of unitarity reads 

{v^\v,) = e-^/^ (29) 

The loss of visibility introduced by Eve's intervention is computed along the same lines as in IIV Al Suppose Alice 
sends a sequence in the limit /ii <C 1, where we neglect the 2-photon terms. Eve's intervention leads to 

100) 

BkAi)'^p)_E + \/(l Q)M^[|10)sbA"'^A')_E + |01)bI'^a"-Pm)_b] whence 

V = Re[{v^,p^\p^,v,,)]^\{v^\p^)\\ (30) 
None of these constraints involves |po), that can therefore be chosen orthogonal to all other states of Eve. 
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2. Eve's Information 

On any pair of pulses that define a bit, Eve's intervention has the product structure 

l\ U, 

(31) 



E ■ 



For each bit detected by Bob, if Eve is interested in Ahce's bit, her information is the Holevo quantity xae computed for 
PeT" = {^~Q)\Pi^,vo){Pf,,vn\+Q\Vf„pa){Vf„po\ and p^=^ = {l~Q)\vo,Pf,){vo,p^\+Q\po,Vfj,)(po,Vfj,\; if Eve is interested 
in Bob's bit, her information is the Holevo quantity xbe computed for p^^^ — (1 — (5)|P/j, vo){p^, vq\+Q\pq, v^)(po, w^j 
and =^ = {1 — Q)\vQ,p^){vo,Pi^i\+Q\Vfj_,po){Vf^,PQ\. Since \v^,po) and |po,i'^t) are orthogonal to one another and to 
the other states \Pfj,,vo) and \vo,Pfj,), we have xae = Xbe given by 



Xcow^2 = Q + il-Q)h ^^'7'^"^' . (32) 



1 + \{vo\pX 
2 

So finally, the Devetak- Winter bound for IPA on C0Wm2 in the limit /ii <C 1 reads 

rcowm2{Q, V) = rotT] with ro = ^p 1 - h{Q) - Xcowni2 ■ (33) 

D. DPS coding: Two-Pulse Attacks 

We turn now to the DPS protocol and derive an upper bound for security considering 2PA. The formalism is analog 
to the one described for the COWml protocol in subsection IIVBI so we go fast through many details. The main 
differences are of course those related to the protocol: the different coding of bits, and the link between Q and V. 

1. Eve's Attack 

We suppose that Eve attaches her probe to two successive pulses sent by Alice. Four two-pulse sequences are 
possible: with a,uj ^ {+,—}, Eve's intervention reads 

\a^,u:^)^\£) — . mB\^-^)E + ^M^^)B\pZ)E+^mB\pf.)E) (34) 

where \vclj) ^ are the states that Eve attaches to the vacuum part of the signal, while \p^Jl,) ^ and Ip^Db ^^''^ the states 
that Eve attaches to the 1-photon part of the signal (as before. Bob shall check that the multi-photon components are 
negligible). The transformation leads to the expected detection rate ptrj for each pulse. The constraint of unitarity 
reads 

{v++\v-) = (^;+_|^-_+)^e-4^ (35) 
{v++\v+-) = {v++\v^+) = {v^^\v+-) = {v^^\v^+) = e-^^^ . (36) 

The visibilities can now be computed for all possible sequences, since there are no empty pulses. Formally, the 
expressions depend on which sequence of pulses was sent, and on whether the two pulses that interfere belong to a 
same or to different sequences according to the pairing chosen by Eve. The resulting visibilities are 

y.. = M^V-JpZ)], (37) 

K^..'^' = Re[(«,^KL>(P^?.'Kv^')] ■ (38) 
Again, Alice and Bob shall check that all these visibilities are equal: for all cr, w, c', w' G {-!-, — }, 

= K^.^'c.' = V . (39) 
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2. Eve's Information 

As it happened for COWml, when it comes to computing Eve's information, two cases have to be treated separately: 
Case 1: the two pulses that contribute to the detected event have been attacked together by Eve. The evolution 
in Bob's interferometer is 0^ b\pZ) e + ^\^^) b\pII) e ^ Eh I A) iV'a.^.b)^ with IV'.,,.,;,) = c7\pZ) + (-l)'a;|pOi) 
(non-normalized). Writing _ Eve's normalized states conditioned on Alice's bit are 

— I J Pe^^'"^^'^~'^ ^^"i Pe7^ ~ i b Pe7^'^'^^'^~'' (where a — — ct); Eve's normalized states conditioned on 
Bob's bit are Pe^'' = ^J2a uj Pe7^'^^^'^~'^ ' ^^^^^ information for this Case 1 is then 

x^Il-x{pt'^PE7') , xfE = x{p%7\p^E7')- (40) 

Case 2. the two pulses that contribute to the detected event have not been attacked together by 
Eve. Then we have to study the four-pulse sequence, in which the bit has been produced by the inter- 
ference of pulses number two and three. The evolution in Bob's interferometer is ti;|0100)^|pJ^J^, fa-'i^')^; + 
a'|0010)B|z;,^,piV)^ E J with |^.,^,.^^^^,) - ^\pll)K'u') + {-lf^'K^)\pl'>,^,) (non- 

normalized). Writing p-^-i"''^-'^ ^ }'^-'^ — |'!/'cr,w,(7',w',6)(V'o-.w.(T'.w',b|; Eve's normalized states conditioned on Alice's 
bit are p^f = ^ E^,c^,c^',b and pj:f = ^ E^,c^,c^',6 p^=|'""'""' (where = -uj): Eve's normal- 

ized states conditioned on Bob's bit are pf^'' — ^ E<tw a' u' PEi^'^'^'" Eve's information for this Case 2 is 

then 

xfE-x{pi:',p^f) , xi'i=x(pir,pif). (41) 

Each of the two cases happens with probability i. Therefore, Eve's average information is 

(2) I (4) (2) (4) 

Xae + Xae ^, Xbe + Xbe /^o^ 
XAE = ^ , Xbe = ^ ■ (42) 

For the versions of COW, some of Eve's states could be immediately chosen as being orthogonal to all the other 
ones; there is no such simplification here. The Devetak- Winter bound for 2PA on DPS in the limit pt <C 1 reads 



roPsiQ, V) = rotri with tq = A* 



1 - y 

1 - hi — — ) - min(xA£;, Xbe) 



(43) 



E. Numerical Optimization and Comparison 

In the previous subsections, we have derived upper bounds for the secret key rate of COW (|16l) . COWml (|27p . 
C0Wm2 ((33|) and DPS (j43|l in the limit /ii ^ 1 of large distances. In this limit, all these bounds scale linearly with 
losses: r — rotrj, where only the constant factor rg depends on the protocol. Incidentally, we remind that for COWml 
and C0Wm2 we have supposed that Alice makes the pairings; if Bob would make them, the rates given above for 
these protocols should be divided by 2. 

At this point, we want to evaluate these bounds. This involves a double optimization: first, for a fixed value of fi, 
one has to find the strategy that maximizes Eve's information; then, one has to find the value of p that maximizes r — 
in our case, tq. The details, on how the optimizations over Eve's strategies were performed, are given in Appendices iBl 
[Cl [D1 and [El For COW and C0Wm2, these optimizations could be performed analytically, and we give the analytical 
expressions for Eve's optimal states. For COWml, the optimization was performed numerically, but we could find 
an analytical expression for Eve's states, in which there remains only three parameters to optimize. For DPS, only 
numerical optimizations could be performed. The second optimization (over fi) could only be done numerically in all 
cases. 



The results of the optimizations are shown in Figure [5] for the four protocols, as a function of V, and in the case 
Q = for all versions of COW. The effect of the QBER in the COW protocols is shown in Figures IH [5] and [6l 

As expected, when V = 1 and Q = 0, the attacks under study coincide for all protocols with the asymptotic limits 
for BSA. As it was the case for BSA, one notices similar behaviors for the COW and the DPS protocols, at least 
for high visibilities: the secret key rates (or the factors tq) are again very similar, within a factor of two. Again, we 
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FIG. 2: Hopt and ro as a function of the visibility V, for 2PA on the COW, COWml and DPS protocols, and for IPA on 
COWm2. For all versions of COW, we show here the curve for Q = 0. 
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FIG. 3: Secret key rates as a function of the distance, for 2PA or IPA on each protocol (for V = 0.98), compared to BSA. Same 
parameters as in Figure [l] Recall that the bounds obtained for 2PA and IPA are valid only in the limit of large distances. 

cannot conclude that one protocol performs better than the other one. The choice of which protocol to run should be 
motivated by various practical reasons that we did not consider here. Still, and as expected, the modified versions of 
COW provide better bounds than the original COW: Eve's attack is less efficient when Eve doesn't know how Alice 
and Bob will choose the pairing of the pulses. 

Finally, in order to get the secret key rates for a given distance, one just has to multiply the factor ro by trj. We 
show as an example in Figure [3] the rates that we get for each protocol in the case oi V = 0.98 (and still Q = for 
COW and its variations), compared to BSA. 



V. CONCLUSION 

We have provided new upper bounds for the security of the COW (the original and two modified versions) and the 
DPS protocols, in the limit of large distances. In all cases, the secret key rate goes as r w rotr] and scales therefore 
linearly with the transmission t of the channel; also, all the values of ro are similar, within a factor of two for high 
visibilities. Hence, at least given our present-day knowledge, the choice between any of these protocols should be 
dictated by practical reasons rather than by security concerns. 

The two modified versions COWml and C0Wm2, introduced in a very natural way in the context of this paper, may 
also prove very useful in the future to find the bound for security against the most general attack by the eavesdropper. 
Indeed, intuition suggests that the random a posteriori choice of the pairing may provide the symmetry argument, 
which would allow to use the exponential De Finetti theorem [231] . 
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APPENDIX A: OTHER POSSIBLE VARIANTS OF THE COW PROTOCOL 

In the main text, we introduced two modified versions of COW. More generally, many other variants can be defined, 
as we briefly mention in this Appendix. We give examples of such variants, that could be useful for future studies. 

There are two main motivations for looking at possible variants: one is to find a more efficient or more robust 
protocol (in the present case for instance, COWml and C0Wm2 were found to be more robust against the attacks 
under study); the other one is to find a protocol for which it should be easier to prove the security (for instance, a 
protocol with more symmetries, or where the signals that code for different bits would be more independent). 

In all the following variants, Alice and Bob use the same devices as in the original COW protocol: Alice sends a 
certain fraction q of weak coherent pulses (with an overall phase relationship) and a fraction I — q oi empty 

pulses |0); Bob measures the time of arrival on his data line and checks the coherence of successive non-empty pulses 
on his monitoring line. The only differences lie in the way the classical information is encoded, or in how the key 
reconciliation is performed. 

We do not provide here a security analysis for the following variants; nonetheless, in order to give a rough idea of 
how the various versions should perform, we estimate the sifting rate and the ideal mutual information per sifted 
pulse Tab between Alice and Bob in the limit of large distances {fit ^ 1), in the absence of an eavesdropper and 
without dark counts. The ideal key rate would then be r = TsIab- 

The simplest possible coding is that the logical bit value 1 is coded as a non-empty pulse | ^/JI) and the bit as an 
empty pulse |0). In such a simple coding, the raw key is as long as the entire train of pulses: = 1 (as for instance 
in continuous variable QKD [24]). However, even in the absence of an adversary and of dark counts, the error rate is 
large: Bob is very likely to fail detecting a non-empty pulse, and the quantum channel acts as a Z-channel, where the 
bit is always detected correctly, while the bit 1 has a high probability e"''*'' to be detected as a 0. Straightforward 
application of Shannon channel capacity shows that in the ideal case, Iab — h{qfitrj) — qh{fitri) « — (7log2 q fJ-trj. For 
the optimal choice of q — one finds: r « ^ utr] 0.53 fitrj. 

In practice, the main drawback of this basic protocol is the large error rate. In fact, while Iab can in principle 
be extracted by error correction (which we have supposed everywhere in this paper), real codes do not reach this 
bound and become very inefficient if the error rate is large. In other words, it is better to try and have fewer, better 
correlated signals, than to keep a lot of poorly correlated ones. One possibility to reduce this error rate is to include 
a sifting step: Bob would announce his qiitrj fraction of time slots where he got a click on his data line, along with 
another fraction /o where he had no click. In this case, the sifting rate reduces to = qiJ-trj + /o, but the fraction 
of errors to be corrected is also reduced. Depending on the practical efficiency of the error correction, one can try to 
optimize /q. 

When dealing with such a Z-channel, a way to symmetrize the errors is to code the logical bits into two physical 
symbols: '0'— > /iO, '1'— > O/i. In this prospect, the original coding of COW appears very naturally. Contrary to the 
previous version, there are no more errors due to the losses (Bob only keeps the cases where he had one detection), 
and in the absence of dark counts and of Eve Iab — 1, and r — rs- 

In the original version of COW, the pairs of pulses defining each classical bit are predefined. Alice sends pairs /iO 
or along with some decoy sequences /i/x (and possibly also sequences 00). When the fraction of decoy sequences 
is negligible, the sifting rate is = ^fitrj. 

A first possible variant of this original COW corresponds to COWml, where Alice still sends sequences /iO or O/i, 
but sometimes she introduces an unused pulse, so that the bit separations are not known in advance by Eve. Again, 
if the fraction of unused pulses is negligible, the sifting rate is = ^fitr]. 

Another variant would be that Alice sends a completely random train of pulses |0) and \^/]T)■ She then pairs 
consecutive pulses a posteriori. Here we lose a factor ^ in the sifting rate (r^ = jfJ'^v) because of the sequences 00 
and /i/i that Alice sometimes pairs together, but the security might be easier to analyze. 

In the previous two variants, one can also imagine that the pairs are not necessarily composed of successive pulses 
(such as in C0Wm2 for instance). This might be more robust against Eve's attacks, but this necessitates a large 
amount of information to be sent from Alice to Bob for the key reconciliation. 
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Also, one can imagine that it is Bob who chooses the pairing: when he gets a detection, he announces two time-slots 
(successive or not), and Alice checks that they correspond to a sequence fiO or 0^. Since Bob has approximately a 
probability | to announce two time-slots that correspond to a sequence /x/u instead, the sifting rate in this case is 

Finally, one can imagine that Alice and Bob use other (longer) sequences of pulses and |0) to encode their 

classical bits (or dits). All previous variations, whether the way the pulses are grouped is defined a priori or a 
posteriori, by Alice or by Bob, whether they group successive pulses or not, also apply to this more general variant. 

APPENDIX B: OPTIMIZATION OF 2PA ON COW 

We have to maximize xcow (|15p . i.e. to minimize | (Poj'jlpjio) L submitted to the constraints 

for the four two-pair sequences {x, y) — (0/i, /iO),(/i/i, /iO),(0/i, /i/i),(/i/i, /i/i). We notice that the states |p^o) |Poi)j 
whose overlap fully defines Eve's information, are related to the states |wpo) and |wom) through (|B2p . specifically 



Re[(«o^K)(pi°ol«A^o)] (B3) 

: DduifM^ IIJ-ioil ciiiu auLU uuai, | yj^''^ I -"1*^ ^ 

is minimal. Later, we shall check that we can find states \v^^), and in order to satisfy all the constraints 

0%) and \pII) 



So, we focus at first only on finding four states |w^io), ko^i), \p]m) and \p^^) that satisfy (|B3p and such that |(Po^|p^o/ 
is minimal. Later, we shall check that we can find states and 1^°)^) in ord 

(recall that the states Ip^^q) and |pou) are chosen to be orthogonal to all other states). 



1. Parametrization of Eve's states 

First, let's choose the first 2 basis vectors such that the states \v^q) and |wo/j) read 




bo.) = y j . (B4) 

Let's also define \vf) as the orthogonal state to \vj), in the same 2-dimensional subspace: 






(B5) 



We must have (|B3|) . Now, if (woMboi) (p^oI^mo) ^ then Eve could just add a global phase to \p]^q) for instance, 
and increase V without changing her information. This implies that Eve's maximal information compatible with V 
is obtained when the above quantity is real. Then we can write, for some factor A G [V, \/V] and some phase S IR: 

{v^iq\p]%) — VXV e^'^ and (woAiboAj) — \/V/Xe^'^. But since the phase (p does not play any role in Eve's information 
(which depends only on KPo/'ib/'io) I); can without loss of generality set it to 0. In conclusion, \pj^) and Ipq^'i) are 
of the form 



bio) = VXV\v^o)-VT^^cos9oe"f'"\vl^o)+VT^^sm9o\wo) (B6) 
lO = VWAbo^) - - ^/Acos0ie*"*MO + - V/Xsmdi\w,) (B7) 
where \wo) and \wi) are any states orthogonal to both |w^o) and |wo/x) and 9q,6i,4>q and 4>i are free parameters. 
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FIG. 4: COW, original version: fiopt and ro for 2PA, for different values of Q. 



2. Results of the optimization 



For 7 > 2y/V{l — V) (i.e. fi small enough) and V > 1/2, it can be proved analytically [25| that the minimum of 

l(pgibi"o>|is 



MMo)\ = (2F-l)7-2v/ni-^)VW 



(B8) 



0, in which case |pi"o) = V^|t;^o) - VT^Ko), bg,\> 



obtained for A = l,6'o ~ Oi ~ (f)o — 4> 
y/l^-V\v^^). Having maximized Eve's information, one can run the one-parameter optimization over the pulse 
intensity /i. The optimal choice /^opt and the corresponding value of tq are plotted in Fig. [H as a function of V and 
for different values of Q. 



We still have to check that we can find states \v,. 



10 < 



and that satisfy all the constraints. This is indeed 



the case. For instance, we complete the previous basis with a third orthogonal vector and choose 



with c 




(B9) 



The fact, that the minimum of KPoubuo)! '^^^ 



27 , 1-V /1-7 / 2V /1-7 l-V / 27 

TJp^ + \l T+V\J S - \j T+v\J T+V\J T+7- -^^^^^^-^^ ^^^"-^ uiic iiiiiiiiiiuiii ui \ \P0f,\f^,0l 

be reached without using the constraints that involve the sequence (/i, ji) means that the presence of decoy sequences 
does not increase the security o f COW ag ainst 2PA. 

Note finally that if 7 < 2^V{1 - V) oi \i V < 1/2, Eve can choose her states |p^o) and \pq]^) (for instance 



A = 1, cos 00 



1^0 



0) such that (pSjilpiO) 



0, in which case Eve can perfectly 



(l-V)7+2VV(l-V)Vl-7"' 

discriminate the two states: she has the full information on Alice and Bob's bit. Therefore, 7 > 2yJV{l — V) and 
F > 1/2 are necessary conditions for Alice and Bob to establish a secret key. 



APPENDIX C: OPTIMIZATION OF 2PA ON COWml 

We have to maximize xcowmi (|26p submitted to the constraints (jBip . (|B2[) and 

(wooIwmm) = '2"^ = 7 , (wooIwmo) («ookop) = e"^/^ . (CI) 
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1. Parametrization of Eve's states 



We write the states 




\ 



These states satisfy the constraints (|Bip and (IC1|) . We still have four states to consider 






(C2) 



) and \p\ 



,01 \ 
MM' 



(recall that the states |p°o), bo°)i Ip^^ ) and have already been chosen orthogonal to all other states). Therefore, 
Eve's states under consideration live in general in an eight-dimensional space. We have performed the numerical 
optimization over the most general choice of the four \p) states that satisfied the constraints (jB2|) . 



2. Results of the optimization 



The best attack we found can be realized by four-dimensional states and depends only on three free parameters 
9o, Oi, (p), that arc still to be optimized. Let's introduce the following vectors: 



/ 



1-7 \ 
2 

1+7 
2 






"Of,/ 



W2 




I 



MM / 



MM / 



1-7 \ 

1+7 





|W3 



Our best attack is then defined by 





1 

Vo 



|W4 



IpOl 



0^/ 

,01 \ 
MM' 



where 



w^o) 

10 \ 



\w 



01 \ 



W2 



(C3) 



(C4) 



(C5) 
(C6) 



(C7) 
(C8) 

(C9) 



cost^o P^To) + smt^o cost^i \W3) + siuOq smOi \W4) 
cos 00 l^'o^) + sin 00 cos^i jws) + sin 6*0 sin^i 1^4) 

■^{cos<l>\vl^^')+smcf>\v^-^))~^\ ' 
I -MM/ - ^(cost/'li'^^^) +sin<?!)|v^^2^) + -i= 

Note that these states satisfy a more constraining version of (|B2p : (p°},|p^'^) = V, (t'o/ibo^) = (^mm — (p^oI^mo) — 
(p^'^I^mm) ~ V^. Finally, the optimization over the three remaining parameters 9q,6i and (/) was performed numeri- 
cally. 

Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity fi. The 
optimal choice /iopt and the corresponding value of rg are plotted in Fig. O 



(CIO) 



APPENDIX D: OPTIMIZATION OF IPA ON COWm2 

We have to maximize xcowm2 (|32p . i.e. to minimize |(wo|p;^)|, submitted to the constraints 

{vo\v^) = e-^l\ (Dl) 
= V. (D2) 
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FIG. 5: COWml: fiopt and ro for 2PA, for different values of Q. 
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FIG. 6: COWm2: fiopt and ro for IPA, for different values of Q. 

The state |po) was already chosen to be orthogonal to the three other states; we have therefore to work in a three- 
dimensional Hilbert space. Without loss of generality, we choose the following parametrization, which ensures auto- 
matically that the constraints are satisfied: 







• 













(D3) 



VI - l^sin( 



actually the phase does not play any role, and we set it to be 0. So, for a given V and a given /i. Eve's states are 
parametrized by 9 and <j)- 



For e < 1 — V , Eve can choose — and cos 6 = y i-e-^* T^T^' which gives {vo\p^) = 0: in this case. Eve has 
full information on Alice and Bob's bit. A necessary condition for Alice and Bob to have secret bits is therefore to 
choose ^ such that > 1 — 1^. In this case, one can easily show that the minimum overlap is 



(D4) 



obtained by setting 9 ~ <f) ^ 0. 

Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity fi. The 
optimal choice /iopt and the corresponding value of ro are plotted in Fig. [6l 



APPENDIX E: OPTIMIZATION OF IPA AND 2PA ON DPS 



As mentioned in the main text, the optimization of Eve's information for a 2PA on DPS is more complicated than 
the one for COW, because we could not find any evident simplification and had therefore to start from the general 
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formal expressions. For this reason, we find it useful to sketch first the study of IPA on DPS — were it only to show 
that our optimization on the 2PA yields indeed a more strict bound. 



1. Optimization of IPA on DPS 

a. Eve's Attack and Information 

We have not studied IPA on DPS in the main text, but the pattern is the same as for all other attacks, so we just 
list the main points. Eve's attacks is defined by (with a e {+, — }) 

k^/M>^IO \^)BME + '^^mB\P'y)E (El) 

so the unitarity condition and the visibility constraints read 

{v+\v^) = e-^f" = 7 (E2) 
V(T,cc; e {+,-}, Re[{vM{pM] ^ V . (E3) 

This last condition implies (ti+|p+) = {v^\p^) — Vv e"^, for some (f) which won't play any role, and which we set to 
0; so we have 

(v+\p+) ^ (v^\p^) = W . (E4) 

Note how all the states participate in the constraints, contrary to what is the case in all versions of COW. 

To compute Eve's information, we start from Eve's conditioned states p'^-i'^^^'^-^ — |V-'(t,w,&) {4'a,uj,b\ with \4'a,uj,b) = 
ctIpct, vJ) + {—!)'' uj\vc,Puj) and the mixtures p°^^ — | ^A- {<y<y (a)}, B-b ^^^^^^ ^^^^ ^ (— l)°cr. Note that these states 
are not normahzed; rather, Tr(p^''') is equal to = 1 — Q if a = &, and to = QUa^b. Finally, = X^b Pe' 

and pf^^ = J^bPs'' (now normalized). Eve's information is given by xae = X {peT^'PeT^)' ^^'^ similarly for xbe- 



b. Parametrization of Eve 's states 



Eve's states can be chosen in a four-dimensional Hilbert space. First, let's choose a basis with the first two vectors 
in the subspace spanned by {jw-)-), and in which \v^) and \v-) read 



2 








(E5) 



so that ()E2p is satisfied. Let's also define as the orthogonal state to \v„), in the subspace spanned by 



V 



2 



(E6) 



The constraint (jE4p on the visibility implies that \pa) can be written as \pa) ~ VV\va) — \/l — Vlw^r), where \wa) is 
any (4-dimensional) state orthogonal to \va-); this can be further decomposed as \wa-) — cos ^o-e*'^" +81119^^111]'^) 
for some states \w'^) orthogonal to both and Finally we choose the last two vectors of the basis such that 

\w'^) and \w'_) read 



cos(6'/2)e*"^/2 
\ sin(6'/2)e*"^/2 J 



( 



\w'_) 



\ 



cos(6l/2)e-*'^/2 
\ -sin(0/2)e-''^/2 ) 



(E7) 
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In summary, for a given V and a given fi, we are left without loss of generality with the six free parameters 
9+,9-,9,(j)^,(l)^,(f> that define 

\pa) = VV\v,) - Vl~^cose,e'^'\v^) - VT^sin^^K) . (E8) 



c. Results of the optimization 

The optimization over the six free parameters was performed numerically. We find that Eve's optimal states have 
real coefficients (the parameters (j)±,4> can be chosen to be 0), and also that 9+ = —9^. Once we fix this, there 
remains only two free parameters to optimize. 

Having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity /i. The 
optimal choice fiopt and the corresponding value of tq are plotted in Fig. [71 along with the results for 2PA. In the case 
V ~ 1, this attack reduces to the BSA; in all other cases, the optimal IPA is manifestly less powerful than the best 
2PA we have found. 

Note that after optimization, we find xae < Xbe- Eve knows less about Alice's bit than about Bob's. 

2. Optimization of 2PA on DPS 

We now consider the 2PA on DPS, and we have to optimize xae and xbe as given in (|^^ . submitted to the 
constraints 

KujKo) = (vau^Kc.) = e-^^ = 7 , Kc^Kq) = e''^'' = 7^ , (E9) 

H(pZ\pZ)]^Mi^'^^\pZ){p'J^.'K'^')] = V (ElO) 
for all a,Lo,a' G { + ,—}. We see that all the twelve states of Eve appear in the expressions of the constraints. 



a. Parametrization of Eve 's states 
Without any loss of generality, we choose the following symmetric parametrization for Eve's four states \va 



\v++) = 



( ^ ^ 

1-7 




( \ 

1-7 




f '-f ) 

1-7 
2 




( T \ 

1-7 
2 













, l^-+> = 





V j 




^ j 











(Ell) 



so that (jE9p is satisfied. At this point, we would have to optimize over Eve's most general states \p^1j) and |p°Jj) that 
satisfied the constraints (jElOp . In general, these eight states live in a 12-dimensional space, and the number of free 
parameters is quite large. 

In order to have a more tractable problem, we make some assumptions (admittedly, we lose generality here). First, 
we look for states that satisfy a more constraining version of (jE10[) . namely 



\yauj It', 



10 X 

CTCJ/ 



V 



V 



for all fj^Lj. Then we can write 



\pZ) = Vvw^)-VT^\wZ) 



(E12) 

(E13) 
(E14) 



with {Vcrui\w, 



01 



\w. 



10 ' 



and {w^J\wZ) = 0- Note that this may not be a true restriction: actually, for all 



the cases treated above, an analog choice was found to be optimal. A more serious restriction comes now: we suppose 
that the eight states \wZ) and live in a 6-dimensional space and are parametrized only by real coefficients. At 

this stage, we run the numerical optimization. 
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FIG. 7: fiopt and ro for IPA and 2PA on DPS. 



b. Results of the optimization 

After having maximized Eve's information, one can run the one-parameter optimization over the pulse intensity fi. 
The optimal choice ^opt and the corresponding value of vq are plotted in Fig. [71 along with the results for IPA. In 
the case V — 1, this attack reduces again to the BSA. 

We didn't run the optimization aver all possible states, but we believe that our results are very close to the optimal 
bounds we could get for 2PA on DPS. Anyway, even though we might have missed the true maximum of Eve's 
information, the attack we found and the curves that are plotted still provide valid upper bounds, more strict than 
the bounds given by IPA on DPS. 

Note finally that as for IPA, we find after optimization xae < Xbe- Eve knows less about Alice's bit than about 
Bob's. 
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